https://community.splunk.com/t5/Splunk-Search/field-extraction-trouble-with-forwarders/m-p/81105#M20505 <P>I'm really frustrated and need a sanity check on what I'm doing. I've got an indexer which is deploying apps to several heavy forwarders. Each app has inputs, props and transforms for specific server type data. The inputs and props are working great, however I can't get any field extraction to show up on the indexer.</P> <P>One example:</P> <P>props.conf ------</P> <PRE><CODE>[stellent_log] TRANSFORMS-stellent = stellent_setnull, stellent_keep *(these work)* REPORT-verbose = verbose_status REPORT-heap = heap_status TIME_FORMAT = %m.%d %H:%M:%S.%3N </CODE></PRE> <P>transforms.conf ------</P> <PRE><CODE>[verbose_status] REGEX = Configuring tracing verbose:\s+(\w+): FORMAT = verbose_status::$1 [heap_status] REGEX = (?i)are\s+(?&lt;heapfree&gt;\d+)\s+free[^\d]+\s+(?&lt;heaptotal&gt;\d+)\s+meg </CODE></PRE> <UL> <LI>I've read <A href="http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F" rel="nofollow">http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F</A> (may not have understood this fully)</LI> <LI>Tested the regex at regexpal.com</LI> <LI>Copied the transform to $SPLUNK_HOME/etc/system/local/ to see if it was in the wrong place</LI> <LI>Extracted fields using the same regex from the WebUI which saved in $SPLUNK_HOME/etc/users/admin/search/local (worked)</LI> </UL> <P>The only field extraction I have working is from conf files local to the indexer. Am I making a simple mistake?</P> Sat, 30 Oct 2010 22:56:05 GMT jhedgpeth 2010-10-30T22:56:05Z https://community.splunk.com/t5/Splunk-Search/field-extraction-trouble-with-forwarders/m-p/81105#M20505 <P>I'm really frustrated and need a sanity check on what I'm doing. I've got an indexer which is deploying apps to several heavy forwarders. Each app has inputs, props and transforms for specific server type data. The inputs and props are working great, however I can't get any field extraction to show up on the indexer.</P> <P>One example:</P> <P>props.conf ------</P> <PRE><CODE>[stellent_log] TRANSFORMS-stellent = stellent_setnull, stellent_keep *(these work)* REPORT-verbose = verbose_status REPORT-heap = heap_status TIME_FORMAT = %m.%d %H:%M:%S.%3N </CODE></PRE> <P>transforms.conf ------</P> <PRE><CODE>[verbose_status] REGEX = Configuring tracing verbose:\s+(\w+): FORMAT = verbose_status::$1 [heap_status] REGEX = (?i)are\s+(?&lt;heapfree&gt;\d+)\s+free[^\d]+\s+(?&lt;heaptotal&gt;\d+)\s+meg </CODE></PRE> <UL> <LI>I've read <A href="http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F" rel="nofollow">http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F</A> (may not have understood this fully)</LI> <LI>Tested the regex at regexpal.com</LI> <LI>Copied the transform to $SPLUNK_HOME/etc/system/local/ to see if it was in the wrong place</LI> <LI>Extracted fields using the same regex from the WebUI which saved in $SPLUNK_HOME/etc/users/admin/search/local (worked)</LI> </UL> <P>The only field extraction I have working is from conf files local to the indexer. Am I making a simple mistake?</P> Sat, 30 Oct 2010 22:56:05 GMT https://community.splunk.com/t5/Splunk-Search/field-extraction-trouble-with-forwarders/m-p/81105#M20505 jhedgpeth 2010-10-30T22:56:05Z https://community.splunk.com/t5/Splunk-Search/field-extraction-trouble-with-forwarders/m-p/81106#M20506 <P>All search-time extractions must be defined on the search head (which appears to be the same as the indexer in your case).</P> Sat, 30 Oct 2010 23:41:20 GMT https://community.splunk.com/t5/Splunk-Search/field-extraction-trouble-with-forwarders/m-p/81106#M20506 gkanapathy 2010-10-30T23:41:20Z https://community.splunk.com/t5/Splunk-Search/field-extraction-trouble-with-forwarders/m-p/81107#M20507 <P>Also, unless you have a good specific reason for doing otherwise, it's recommended that you use light forwarders rather than heavy.</P> Sat, 30 Oct 2010 23:42:34 GMT https://community.splunk.com/t5/Splunk-Search/field-extraction-trouble-with-forwarders/m-p/81107#M20507 gkanapathy 2010-10-30T23:42:34Z https://community.splunk.com/t5/Splunk-Search/field-extraction-trouble-with-forwarders/m-p/81108#M20508 <P>Thanks for responding. You're right about the indexer/search combo. Since I'm preparing this for my users and I already know the data, I was trying to config this ahead of time (which I thought was non-search-time), or is there only "search-time" extraction? On the other point, do you know where I'd find info to make an educated choice about light/heavy forwarders? My main factor now was that I'm configuring not to forward GBs of data that I can't afford. thanks!</P> Sat, 30 Oct 2010 23:54:53 GMT https://community.splunk.com/t5/Splunk-Search/field-extraction-trouble-with-forwarders/m-p/81108#M20508 jhedgpeth 2010-10-30T23:54:53Z https://community.splunk.com/t5/Splunk-Search/field-extraction-trouble-with-forwarders/m-p/81109#M20509 <P>The article about "where do I configure my settings" is fairly explicit about which settings are search-time (and therefore on the search head) and which are input-time or parse-time. If you don't know specifically that you should use a heavy forwarder, then you should use a light forwarder.</P> Sun, 31 Oct 2010 13:54:43 GMT https://community.splunk.com/t5/Splunk-Search/field-extraction-trouble-with-forwarders/m-p/81109#M20509 gkanapathy 2010-10-31T13:54:43Z